Embodiments of the present invention relate to a virtual private network capable of having a plurality of mobile nodes, to the components of the network and to the methods and processes used within the network.

A Virtual Private Network (VPN) provides a network-like connection via a public network, such as the Internet. Remote components of the VPN appear to a user as if they are physically connected via dedicated communication cables, when in fact the public network may form at least part of the connection between them.

As the VPN may use a public network, security measures must be taken to prevent unauthorised users hacking into the VPN. The Internet Engineering Task Force (IETF) has developed the Internet Protocol Security (IPsec) standard, which is suitable for securing the VPN. The IPsec standard specifies an extension to TCP/IP that utilizes data encryption and digital encryption technology to positively identify a user or network component. Implementation of IPsec, or an equivalent security protocol, on a VPN results in a Secure Virtual Private Network (SVPN).

A SVPN has a Security Gateway placed at the interface between a private secured network and the public unsecured network. The private secured network forms an internal portion of the VPN, whereas those parts of the VPN which are part of the public network are external portions of the VPN.

The SVPN is a packet switching network in which data is sent as packets. Each packet has a data payload and a header. The header includes the address of the origin of the data and the address of the destination of the data. The addresses used may be public IP addresses or private IP addresses. A public address is a globally unique address, whereas a private address is unique in the VPN but not necessarily globally.
A Security Association (SA) is a context defining a virtual simplex connection between two end points that affords security services to the traffic carried between those end points. To secure bi-directional communication between two nodes, two Security Associations (one in each direction) are required in both nodes. Among other things each context indicates an authentication and/or encryption algorithm and a secret (a shared key, or appropriate public/private key pair).

Each node has a Security Policy Database (SPD) and a Security Association Database (SAD). The SPD specifies the treatment of every inbound and outbound packet. It also indicates which SA or SA bundle in the SAD should be used, if any. The SPD maps traffic to a SAD entry, which has the SA parameters for the traffic. The Encapsulating Security Payload (ESP) [RFC2406] is one type of Security Association and it provides confidentiality, data origin authentication, connectionless integrity, anti-replay service and limited traffic flow confidentiality.

Mobile IPv6 (MIPv6) allows a mobile node (MN) to move from one link to another without changing the mobile node's IP address (Home Address). Thus a mobile node is always addressable by its Home Address (HoA).

The HoA is an IP address assigned, for an extended period of time, to the mobile node within its home network. It is a "static" identifier and therefore remains unchanged regardless of which link a mobile node uses to link to the network.

The home network has a network prefix matching that of a mobile node's HoA, and packets destined for a mobile node's HoA will be delivered to the mobile node's Home Network. The mobile node may also be attached to networks other than the home network; these are called Visited Networks.

The MN is able to maintain its static identifier (HoA) and communicate in Visited Networks by associating a dynamic identifier (Care-of Address) with the static identifier (HoA) while moving outside its home network. The Care-of Address (CoA) reflects the MN's current point of attachment. The association of the HoA and CoA is stored in a Home Agent (HA) and correspondent nodes (CN) and is referred to as a "binding" or "mobility binding" when combined with the lifetime of the association.

The HA is a router in the home network which tunnels packets for delivery to the mobile node when it is away from the home network, and maintains current location information for the mobile node. The HA intercepts a packet sent to the HoA of the MN, encapsulates the intercepted packet using a Type 2 Routing Header and sends it to the CoA of the MN. When the MN receives the packet at its CoA, it removes the Routing Header where the HoA was and forwards the packet internally to the HoA.

The mobile node generally uses its HoA as the end point of all its communications, and the CoA as the source address of all IP packets that it sends. These packets are delivered to their destination via normal IP routing mechanisms. Packets sent to the mobile node do not necessarily pass through the HA if the CoA is known to the correspondent node.

When the MN moves to a Visited Network, the MN detects this and 
obtains a CoA on the Visited network. It then sends a Binding Update to the HA 
and any correspondent node. A correspondent node is a mobile or stationary 
peer with which a mobile node is communicating. The Binding Update registers 
the new CoA of the MN. 

MIPv6 provides for route optimisation via return routability and binding updates. The CoA is sent to the HA and to the CN, therefore CN messages can be routed directly to the CoA and need not go via the HA.

IPsec is mandatory for IPv6. In a combination of MIPv6 and IPsec, MIPv6 confirms the validity of the end points, and IPsec can be used for protecting the actual traffic between those end points. From the IPsec point of view, the SAs simply take place between two static addresses, the HoA of the MN and the regular address of the CN.

In a SVPN with mobile nodes, each MN has or creates two pairs of SAs, one with the SG and the other with its HA. The SVPN can be considered to have an internal portion which is connected to the public network via a Security Gateway (SG) and an external portion connected to and forming part of the public network.

If internal addressing is used, communication between a MN, which is in the external portion of the SVPN, and any other node of the SVPN occurs via the SAs between the MN and the SG. Thus if one MN, e.g. MN1, which is in the external portion of the SVPN, is communicating with another MN, e.g. MN2, which is also in the external portion of the SVPN, then all communications between MN1 and MN2 will be via the SG using the SA pairs between MN1 and the SG and MN2 and the SG. There should not be direct communication between MN1 and MN2 via the public network because the internal addresses are ambiguous (not globally unique) and therefore traffic using them is not properly routable in the public network, and also because security could be compromised. This results in inefficient routing.

If external addressing is used, communication between one MN, e.g. MN1, which is in the external portion of the SVPN, and another MN, e.g. MN2, which is also in the external portion of the SVPN, can be directly between MN1 and MN2 after they exchange return routability and binding messages. This provides for efficient but insecure communication unless a pair of up-to-date SAs between MN1 and MN2 already exists in both nodes.

It would be desirable to improve secure virtual private networks having 
mobile nodes by providing efficient and secure routing for communications 
between mobile nodes of the network. 

According to a first aspect of the present invention there is provided a gateway for connecting an external portion of a network to an internal secured portion of the network wherein the gateway is arranged to identify automatically when a communication session exists between two mobile workstations both of which are connected in the external portion of the network.

Embodiments of this aspect of the invention provide for detection of when two mobile workstations (MN1 & MN2) are communicating via the gateway (SG). This detection may, in embodiments of the invention, initiate a mechanism that allows the mobile workstations to communicate without using the gateway as an intermediary. This, in turn, allows the route by which packets are transferred between the first mobile workstation (MN1) and the second mobile workstation (MN2) to be optimised.

According to another aspect of the invention there is provided a network including an internal secured portion which connects, via a gateway, to an external portion, the network comprising a plurality of workstations including mobile workstations, the gateway and secure communication means by which information is transferable securely to a first mobile workstation in the external portion of the network via the gateway and by which information is transferable securely to a second mobile workstation in the external portion of the network via the gateway; and information transfer means located within the internal secured portion of the network or within the gateway and arranged to send, using the secure communication means, an identifier of the second mobile workstation to the first mobile workstation for use as an address in a packet originating from the first mobile workstation and destined for the second mobile workstation.

Embodiments of this aspect of the invention provide an identifier of the second mobile workstation (MN2) securely to the first mobile workstation (MN1). This identifier may allow the first mobile workstation (MN1) to communicate with the second mobile workstation (MN2) without using the gateway (SG) as an intermediary. This, in turn, allows the route by which packets are transferred between the first mobile workstation (MN1) and the second mobile workstation (MN2) to be optimised. The identifier may be the external Home Address of the second mobile workstation (MN2).
According to a further aspect of the present invention there is provided a virtual private network including an internal secured portion which connects, via a gateway, to an external portion, the network being arranged to communicate within the internal portion of the network using private addresses and comprising: a plurality of workstations including mobile workstations; the gateway; first secure communication means by which information is transferable securely to a first mobile workstation connected at the external portion of the network via the gateway and by which information is transferable securely to a second mobile workstation connected at the external portion of the network via the gateway; and information transfer means arranged to send first security information to the first mobile workstation and second security information to the second mobile workstation using the first secure communication means, wherein the first mobile workstation uses the first security information and the second mobile workstation uses the second security information to enable a second secure communication means by which further information is transferable securely between the first mobile workstation and the second mobile workstation without passing through the gateway.

Embodiments of this aspect of the invention provide, perhaps different, security information to the first mobile workstation (MN1) and the second mobile workstation (MN2) which enables secure communications between the first and second mobile workstations without having to use the gateway as an intermediary to secure communications.

According to a still further aspect of the present invention there is provided a virtual private network including an internal secured portion which connects, via a gateway, to an external portion, the network being arranged to communicate within the internal portion of the network using private addresses and comprising: a plurality of workstations including mobile workstations; the gateway; secure communication means by which information is transferable securely, without passing through the gateway, between a first mobile workstation connected to the external portion of the network and a second mobile workstation connected to the external portion of the network; means for dynamically updating an identifier of the first mobile workstation as it moves within the external portion of the network; means for communicating the updated identifier of the first mobile workstation to the second mobile workstation; and means for sending packets from the second mobile workstation to the first mobile workstation using the secure communication means, wherein the packets are addressed using the updated identifier of the first mobile workstation and are routed without necessarily passing through the gateway.

Embodiments of this aspect of the invention provide for secure communications between the first and second mobile workstations without being forced to use the gateway as an intermediary to secure communications. This allows the route by which packets are transferred between the first mobile workstation (MN1) and the second mobile workstation (MN2) to be optimised.

For a better understanding of the present invention and to understand how the same may be brought into effect, reference will now be made by way of example only to the accompanying drawings illustrating embodiments of the invention:

Fig. 1 is a schematic illustration of a secure virtual private network (SVPN) according to one embodiment of the invention; and

Fig. 2 is a signalling diagram of a secure virtual private network (SVPN) in which two mobile nodes, MN1 & MN2, move into an external portion of the SVPN while communicating with each other.

The virtual private network (VPN) 10 comprises an internal portion 12 which is protected by a firewall or Security Gateway (SG) 20 and an external portion 14 which uses an unsecured communications medium 30, such as the internet, to communicate with the internal portion 12 via the Security Gateway 20.

The VPN 10 has a file server 16 and a plurality of client workstations 18a, 18b, 18c, 18d, 18e and 18f. The workstations 18a, 18b and 18c are desktop machines within the internal portion 12 of the VPN 10 and are non-mobile nodes of the VPN 10. The workstation 18d is a portable machine, in this case a laptop computer, which is a mobile node (MN) of the VPN 10. The workstation 18d is currently physically located within the internal portion 12. The workstation 18e is a portable machine (a hand-portable personal digital assistant), which is a mobile node MN1 of the VPN. The portable workstation 18e is currently physically located in the external portion 14 of the VPN and connected to the gateway 20 via the unsecured communications medium 30. The workstation 18f is a portable machine (a hand-portable cellular radio telephone), which is a mobile node MN2 of the VPN. The portable workstation is currently physically located in the external portion 14 of the VPN and is connected to the gateway 20 via a cellular radio telephone network 32 and then the unsecured communications medium 30.

The VPN 10 has a router 22, which provides the functionality of the HA of the mobile nodes of the VPN 10. The file server 16, the Security Gateway 20, the router 22 or some other intelligence within the internal portion 12 of the VPN may provide the functionality of the VPN Connectivity Manager (VCM), which is described in more detail below.

This embodiment relates to a Virtual Private Network (VPN) which uses 
private (not public) addresses. In the following description reference will be 
made to Fig. 2. 

The first mobile node MN1 has a pair of SAs (uplink and downlink) with the Security Gateway (SG) and another pair of SAs (uplink and downlink) with a VPN Connectivity Manager (VCM). The second mobile node MN2 has a pair of SAs (uplink and downlink) with the Security Gateway (SG) and another pair of SAs (uplink and downlink) with a VPN Connectivity Manager (VCM). The SG has three pairs of SAs (uplink and downlink), one pair with MN1, one pair with MN2 and the other pair with the VCM. The VCM has three pairs of SAs (uplink and downlink), one pair with MN1, one pair with MN2 and the other pair with the SG.
A mobile node (MN), Security Association (SA), Home Agent (HA) and Security Gateway (SG) are terms well understood by a person knowledgeable in Virtual Private Networks, the Internet Protocol Security (IPsec) Protocol and Mobile Internet Protocol version 6 (MIPv6).

The VPN Connectivity Manager (VCM) is a newly devised component of a VPN and the Security Associations between the VCM and MN1 and MN2 are newly implemented Security Associations. The Security Association between a MN and the VCM is an Encapsulating Security Payload (ESP) SA and utilizes internal addresses of the VPN.

The Security Association between the Security Gateway (SG) and the 
mobile nodes utilizes the external, public HoA of the MNs as opposed to the 
VPN internal address. 

Let us assume that there is an existing session between MN1 and MN2 and that MN2 has previously entered the external portion of the VPN.

When MN2 exited the internal portion of the VPN and entered the external portion of the VPN, at least one of the uplink and downlink SAs between MN2 and the SG became active.

This activation took place as a result of the following process. Inside the internal portion of the VPN, either the inbound SPD was receiving only packets with addresses used inside the VPN and/or the MIPv6 binding update list had only bindings with addresses used inside the VPN. When MN2 moved to the external portion of the VPN, the SPD started receiving packets with non-VPN addresses and/or the MIPv6 binding update list also had bindings with non-VPN addresses. Because of these changes, MN2 detected the movement to the external portion of the VPN. At that point, it changed the SPD policy for inbound VPN traffic from "no IPsec" into "use IPsec with default SG->MN2 ESP SA", and it changed the SPD policy for outbound VPN traffic from "no IPsec" into "use IPsec with default MN2->SG ESP SA".
In order to avoid attacks where the attacker sets up a fake network where the same addresses are used as inside the VPN, additional SAs may be enforced by the VPN owner to authenticate the messages, e.g. Router Advertisements, sent by nodes in the internal portion of the VPN. In this case, after a change of link, the MN would always assume that it is in the external portion of the VPN unless its SPD receives such a packet and the SA processing confirms the authentication (using e.g. an existing Authentication Header (AH) SA between the internal node and MN2).

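The movement-detection rule and the fake-network hardening described above, modelled in Python as an added example (this is not code from the patent); the internal prefix, the addresses and the SPD policy strings are constructed, and the hardened node's "assume external after a change of link" rule is the one the text describes:

```python
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network

# Constructed sample values (not from the patent): the VPN's internal prefix
# and the SPD policy strings for the default ESP SAs between MN2 and the SG.
VPN_PREFIX = IPv6Network("fd00:abcd::/32")
NO_IPSEC = "no IPsec"
INBOUND_SA = "use IPsec with default SG->MN2 ESP SA"
OUTBOUND_SA = "use IPsec with default MN2->SG ESP SA"


@dataclass
class MobileNode:
    """Model of an MN's location decision and its SPD policy for VPN traffic."""
    name: str
    require_authenticated_ra: bool = False   # hardened variant from the text
    location: str = "internal"
    inbound_policy: str = NO_IPSEC
    outbound_policy: str = NO_IPSEC
    binding_update_list: list = field(default_factory=list)

    def _go_external(self):
        self.location = "external"
        self.inbound_policy = INBOUND_SA
        self.outbound_policy = OUTBOUND_SA

    def _go_internal(self):
        self.location = "internal"
        self.inbound_policy = NO_IPSEC
        self.outbound_policy = NO_IPSEC

    def on_link_change(self):
        # Hardened rule: after a change of link, assume the external portion
        # until an authenticated internal node proves otherwise.
        if self.require_authenticated_ra:
            self._go_external()

    def observe_inbound(self, src: str):
        """The inbound SPD sees a packet from src; a non-VPN source address
        is one of the movement indications described in the text."""
        if IPv6Address(src) not in VPN_PREFIX:
            self._go_external()

    def add_binding(self, peer: str):
        """A binding with a non-VPN address is the other movement indication."""
        self.binding_update_list.append(peer)
        if IPv6Address(peer) not in VPN_PREFIX:
            self._go_external()

    def observe_router_advertisement(self, prefix: str, ah_verified: bool):
        """An RA announcing an internal prefix. The naive MN trusts it; the
        hardened MN trusts it only if AH processing confirmed the sender."""
        if IPv6Network(prefix).subnet_of(VPN_PREFIX):
            if ah_verified or not self.require_authenticated_ra:
                self._go_internal()


def genuine_move(hardened: bool) -> dict:
    """MN2 moves to a visited network and sees a packet from a public address."""
    mn = MobileNode("MN2", hardened)
    mn.on_link_change()
    mn.observe_inbound("2001:db8:7::1")        # constructed public address
    return {"location": mn.location, "outbound": mn.outbound_policy}


def fake_network(hardened: bool) -> dict:
    """The attack from the text: MN2 changes link onto a network that reuses the
    VPN's internal addresses and advertises the internal prefix without AH."""
    mn = MobileNode("MN2", hardened)
    mn.on_link_change()
    mn.observe_router_advertisement("fd00:abcd:1::/64", ah_verified=False)
    mn.observe_inbound("fd00:abcd:1::10")      # looks like an internal peer
    return {"location": mn.location, "outbound": mn.outbound_policy}


def genuine_return(hardened: bool) -> dict:
    """MN2 comes back: an AH-authenticated RA from a real internal node."""
    mn = MobileNode("MN2", hardened)
    mn.on_link_change()
    mn.observe_inbound("2001:db8:7::1")
    mn.on_link_change()
    mn.observe_router_advertisement("fd00:abcd:1::/64", ah_verified=True)
    return {"location": mn.location, "outbound": mn.outbound_policy}
```

The naive node in `fake_network` keeps its "no IPsec" outbound policy and would send VPN traffic in the clear onto the impostor network, while the hardened node stays on the SG ESP SA until an AH-verified advertisement arrives.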
The inbound SA in SG is always active, and the outbound SA is activated 
when the inbound SPD receives packets from MN2's external HoA and/or the 
MIPv6 binding cache has a binding with MN2's external HoA. 

If necessary, MN2 executes a Binding Update with the SG. Therefore the 
SG maps the external HoA of MN2 to the external CoA of MN2 and sends 
packets for the MN2 to the external CoA of MN2. 

The SG is an intermediate node in communications from and to MN2 using private addresses. It monitors the headers of these communications and stores in a cache the internal addresses of the CNs with which MN2 communicates. The packets addressed to or sent by MN2 can be identified from the HoA or current CoA of MN2 in the headers.

The SG sends a message 202 to the VCM with MN2's external HoA. The VCM receives the external HoA and stores it in its MN context database. The MN context comprises the MN internal HoA, the MN external HoA, the internal HoAs of correspondent nodes of the MN, and details of the managed SAs with identification of the relevant secrets and algorithms. The VCM may send an Acknowledgement message 204 to the SG.

When MN1 exits the internal portion of the VPN and enters the external portion of the VPN, at least one of the uplink and downlink SAs between MN1 and the SG becomes active.
If necessary, MN1 executes a Binding Update with the SG. Therefore the SG maps the external HoA of MN1 to the external CoA of MN1 and sends packets for the MN1 to the external CoA of MN1.

The SG is an intermediate node in communications from and to MN1 using private addresses. It monitors the headers of these communications and stores in a cache the internal addresses of the CNs with which MN1 communicates. The packets addressed to or sent by MN1 can be identified from the HoA or current CoA of MN1 in the header.

The SG sends a message 202 to the VCM with MN1's external HoA.

The VCM receives the external HoA and stores it in its MN context database. The MN context comprises the MN internal HoA, the MN external HoA, the internal HoAs of correspondent nodes of the MN, and details of the managed SAs with identification of the relevant secrets and algorithms. The VCM may send an Acknowledgement message 204 to the SG.

The SG also detects that MN1 and MN2 are involved in a session. The SG has a binding with MN1, if necessary, and therefore stores information relating the static identifier (HoA) and dynamic identifier (CoA) of MN1. Thus all packets sent by or to MN1 can be identified. The SG has a binding with MN2, if necessary, and therefore stores information relating the static identifier (HoA) and dynamic identifier (CoA) of MN2. Thus all packets sent by or to MN2 can be identified. The SG detects that MN1 and MN2 are in a session by detecting when a packet is sent from MN1 to MN2 or a packet is sent from MN2 to MN1.

The SG sends a message 202 to the VCM indicating that MN1 and MN2 are having a session. This session indication message could be combined with or be separate from the message informing the VCM of the external HoA of MN1.

The VCM receives the MN1-MN2 session indication message and may send an Acknowledgement message 204 to the SG. In response to this message, the VCM creates information for an SA pair for MN1-MN2 communication. It generates random secrets and stores them in the MN context database in the VCM for the MN1-MN2 session. In a preferred implementation the secrets are keys, the number and length of which depend on the implementation, and are accompanied by other SA material such as algorithm definition.

The VCM sends 206 a first secret(s) defining the SA pair between MN1 and MN2 and the external HoA of MN1 to MN2 via its (internal) ESP SA with MN1. Thus there will be end-to-end security between the VCM and the internal address of the MN1. The VCM separately sends 210 a second secret(s) defining the SA pair between MN1 and MN2 and the external HoA of MN2 to MN1 via its (internal) ESP SA with MN2. Thus there will be end-to-end security between the VCM and the internal address of the MN2.

The MN1 receives the secret(s) and the external HoA of MN2. It enters into its Security Association Database (SAD) a new ESP SA to the MN2 and a new ESP SA from the MN2. Each entry specifies the algorithm to be used and the secret(s) to be used. The MN1 modifies its Security Policy Database (SPD) so that traffic destined for MN2 will be encrypted using one of the new SA pair and traffic from MN2 will be decrypted using the other one of the new SA pair. After first modifying the inbound SPD policy (traffic from MN2), MN1 sends an Acknowledgement message 212 to the VCM which forwards it to MN2. The outbound SPD policy (traffic destined for MN2) is only modified after the reception of Acknowledgement message 208 from MN2 via the VCM. This ensures that MN2 can decrypt the packets when they are sent by MN1.

The MN2 receives the secret(s) and the external HoA of MN1. It enters into its Security Association Database (SAD) a new ESP SA to the MN1 and a new ESP SA from the MN1. Each entry specifies the algorithm to be used and the secret(s) to be used. The MN2 modifies its Security Policy Database (SPD) so that traffic destined for MN1 will be encrypted using one of the new SA pair and traffic from MN1 will be decrypted using the other one of the new SA pair. After first modifying the inbound SPD policy (traffic from MN1), MN2 sends an Acknowledgement message 208 to the VCM which forwards it to MN1. The outbound SPD policy (traffic destined for MN1) is only modified after the reception of Acknowledgement message 212 from MN1 via the VCM. This ensures that MN1 can decrypt the packets when they are sent by MN2.

The new ESP SAs provide for end-to-end encryption between the external HoA of MN1 and the external HoA of MN2. The packets with internal addresses are exchanged in the crypto tunnel between the external HoAs.

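The SG's session detection, the VCM's generation of the MN1-MN2 SA material, and the inbound-first, acknowledgement-gated SPD update described above (the same exchange is reused by embodiment 2 below), played through in Python as an added example; this is not the patent's code, and the addresses, the algorithm name, the message tuples and the MN context layout are constructed:

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample addresses (not from the patent): private internal HoAs,
# public external HoAs and the current external CoAs of the two mobile nodes.
MN1_INT, MN1_EXT, MN1_COA = "fd00:abcd::1", "2001:db8:1::1", "2001:db8:11::5"
MN2_INT, MN2_EXT, MN2_COA = "fd00:abcd::2", "2001:db8:2::2", "2001:db8:22::9"


@dataclass
class MobileNode:
    name: str
    internal_hoa: str
    external_hoa: str
    sad: dict = field(default_factory=dict)     # (peer ext HoA, dir) -> (alg, key)
    spd_in: dict = field(default_factory=dict)  # peer internal HoA -> policy
    spd_out: dict = field(default_factory=dict)
    pending_out: dict = field(default_factory=dict)

    def receive_material(self, peer_int, peer_ext, material):
        """Message 206/210 from the VCM: enter both ESP SAs in the SAD, enable
        only the inbound SPD policy, and return the acknowledgement (212/208)."""
        alg, key_to_peer, key_from_peer = material
        self.sad[(peer_ext, "to")] = (alg, key_to_peer)
        self.sad[(peer_ext, "from")] = (alg, key_from_peer)
        self.spd_in[peer_int] = f"decrypt with ESP SA from {peer_ext}"
        self.pending_out[peer_int] = f"encrypt with ESP SA to {peer_ext}"
        return ("ack", self.internal_hoa, peer_int)

    def receive_peer_ack(self, peer_int):
        """Peer's acknowledgement forwarded by the VCM: the peer can decrypt
        now, so the outbound policy may be switched on."""
        self.spd_out[peer_int] = self.pending_out.pop(peer_int)


@dataclass
class SecurityGateway:
    external_mns: dict = field(default_factory=dict)   # internal HoA -> external HoA
    binding_cache: dict = field(default_factory=dict)  # external HoA -> CoA
    sessions: set = field(default_factory=set)

    def mn_went_external(self, internal_hoa, external_hoa, coa):
        """The MN's SA with the SG became active and it sent a Binding Update."""
        self.external_mns[internal_hoa] = external_hoa
        self.binding_cache[external_hoa] = coa
        return ("202-hoa", internal_hoa, external_hoa)

    def observe(self, inner_src, inner_dst):
        """Inner (private) header of a packet relayed through the SG. A packet
        between two known external MNs reveals a session; report it once."""
        if inner_src in self.external_mns and inner_dst in self.external_mns:
            pair = frozenset((inner_src, inner_dst))
            if pair not in self.sessions:
                self.sessions.add(pair)
                return ("202-session", inner_src, inner_dst)
        return None


@dataclass
class ConnectivityManager:
    contexts: dict = field(default_factory=dict)   # MN internal HoA -> MN context

    def register(self, internal_hoa, external_hoa):
        self.contexts[internal_hoa] = {"external": external_hoa, "cns": [], "sas": {}}

    def create_session(self, a_int, b_int):
        """Generate random secrets for the new MN1-MN2 ESP SA pair, record them
        in both MN contexts, and return each node's material as
        (algorithm, key to peer, key from peer)."""
        alg = "ESP-AES-CBC-HMAC-SHA1"           # placeholder algorithm definition
        k_ab, k_ba = secrets.token_bytes(16), secrets.token_bytes(16)
        for me, peer in ((a_int, b_int), (b_int, a_int)):
            self.contexts[me]["cns"].append(peer)
            self.contexts[me]["sas"][peer] = (alg, k_ab, k_ba)
        return (alg, k_ab, k_ba), (alg, k_ba, k_ab)


def run_protocol():
    """Play the Fig. 2 exchange for embodiment 1 and return the end state."""
    mn1 = MobileNode("MN1", MN1_INT, MN1_EXT)
    mn2 = MobileNode("MN2", MN2_INT, MN2_EXT)
    sg, vcm, trace = SecurityGateway(), ConnectivityManager(), []
    # MN2 and later MN1 leave the internal portion; the SG reports each
    # external HoA to the VCM (message 202), which stores it in the MN context.
    for mn, coa in ((mn2, MN2_COA), (mn1, MN1_COA)):
        _, internal, external = sg.mn_went_external(mn.internal_hoa, mn.external_hoa, coa)
        vcm.register(internal, external)
    # The existing MN1-MN2 session, still relayed via the SG, is detected
    # from the inner headers and reported to the VCM once.
    indication = sg.observe(MN1_INT, MN2_INT)
    trace.append(("second packet reported", sg.observe(MN2_INT, MN1_INT)))
    mat1, mat2 = vcm.create_session(indication[1], indication[2])
    ack212 = mn1.receive_material(MN2_INT, vcm.contexts[MN2_INT]["external"], mat1)  # 206
    trace.append(("MN1 outbound after 206", dict(mn1.spd_out)))
    ack208 = mn2.receive_material(MN1_INT, vcm.contexts[MN1_INT]["external"], mat2)  # 210
    mn2.receive_peer_ack(ack212[1])   # VCM forwards 212 to MN2
    mn1.receive_peer_ack(ack208[1])   # VCM forwards 208 to MN1
    return mn1, mn2, trace
```

The trace shows MN1's outbound policy is still empty after message 206, so no packet is encrypted towards MN2 before MN2 has acknowledged installing its inbound SA.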
The MN1 uses the external HoA address to route packets to MN2. When MN1 first sends a packet 214 encrypted by the new ESP SA to the external HoA of MN2, it first goes to the external HA of MN2 which forwards 216 it to the external CoA of MN2. After this the return routability and binding process between the MN1 and MN2 provides 218 the external CoA of MN2 to MN1. MN1 uses the external CoA of MN2 to address packets 220 destined for MN2.

The MN2 uses the external HoA address to route packets to MN1. When MN2 first sends packets encrypted by the new ESP SA to the external HoA of MN1, they first go to the external HA of MN1 which forwards them to the external CoA of MN1. After this the return routability and binding process between the MN2 and MN1 provides the external CoA of MN1 to MN2. MN2 uses the external CoA of MN1 to address packets destined for MN1.

The return routability and binding process optimises the route between the MN1 and MN2 external CoAs and continues to do so as long as both MNs are outside the private network, without SG or VCM intervention. When either MN1 or MN2 moves to a different point of attachment in the external portion of the VPN, a handover procedure occurs to the new point of attachment. The procedure is specified by MIPv6. If MN1 moves, the CoA of MN1 changes and this change is automatically communicated to MN2. Thus the route between MN1 and MN2 remains optimised.

When either MN returns to the private network, the SA between that MN and the SG, which was used for communication between that MN and the interior of the VPN, no longer receives packets. This is because the MN is now in the internal portion of the VPN and starts to send packets unencrypted within the private network. This movement from the external portion of the VPN to the internal portion of the VPN is detected in the same way as the movement from the internal portion of the VPN to the external portion of the VPN (but vice versa) by the SG, which then informs the VCM. The VCM commands the remaining external MN to amend its SAD and/or SPD so that it uses its ESP SA with the SG again for communication with the internal MN.

Embodiment 2

This embodiment relates to a VPN which uses public (not private) addresses, such as IP addresses. In the following description reference will be made to Fig. 2.

The first mobile node MN1 has a pair of SAs (uplink and downlink) with the Security Gateway (SG) and another pair of SAs (uplink and downlink) with a VPN Connectivity Manager (VCM). The second mobile node MN2 has a pair of SAs (uplink and downlink) with the Security Gateway (SG) and another pair of SAs (uplink and downlink) with a VPN Connectivity Manager (VCM). The SG has three pairs of SAs (uplink and downlink), one pair with MN1, one pair with MN2 and the other pair with the VCM. The VCM has three pairs of SAs (uplink and downlink), one pair with MN1, one pair with MN2 and the other pair with the SG.

The SAs between the Security Gateway (SG) and the mobile nodes utilize the external, public HoA of the MNs as opposed to VPN internal addresses, which were used in embodiment 1 but represent only a subset of public addresses in this embodiment.

The SA between a MN and the VCM is an Encapsulating Security Payload (ESP) SA and is encapsulated inside the Security Association between the SG and the MN.

Let us assume that there is an existing session between MN1 and MN2 and that MN2 has previously entered the external portion of the VPN.

When MN2 exited the internal portion of the VPN and entered the external portion of the VPN, at least one of the uplink and downlink SAs between MN2 and the SG became active. This process is the same as that described in relation to embodiment 1.

If necessary, MN2 executes a Binding Update with the SG. Therefore the SG maps the HoA of MN2 to the CoA of MN2 and sends packets for the MN2 to the CoA of MN2.

The SG is an intermediate node in communications between the internal portion of the VPN and MN2. It monitors the headers of these communications and stores in a cache the addresses of the CNs with which MN2 communicates. The packets addressed to or sent by MN2 can be identified from the HoA or current CoA of MN2 in the headers.

The SG sends a message 202 to the VCM with MN2's HoA. The VCM receives the HoA and stores it in its MN context database. The MN context comprises the MN HoA, the HoAs of the correspondent nodes of the MN, and details of the managed SAs with identification of the relevant secrets and algorithms. The VCM may send an Acknowledgement message 204 to the SG.

When MN1 exits the internal portion of the VPN and enters the external portion of the VPN, at least one of the uplink and downlink SAs between MN1 and the SG becomes active.

If necessary, MN1 executes a Binding Update with the SG. Therefore the SG maps the HoA of MN1 to the CoA of MN1 and sends packets for the MN1 to the CoA of MN1.

The SG is an intermediate node in communications between the internal portion of the VPN and MN1. It monitors the headers of these communications and stores in a cache the addresses of the CNs with which MN1 communicates. The packets addressed to or sent by MN1 can be identified from the HoA or current CoA of MN1 in the header.

The SG sends a message 202 to the VCM with MN1's HoA.

The VCM receives the HoA and stores it in its MN context database. The MN context comprises the MN HoA, the HoAs of the correspondent nodes of the MN, and details of the managed SAs with identification of the relevant secrets and algorithms. The VCM may send an Acknowledgement message 204 to the SG.

The SG also detects that MN1 and MN2 are involved in a session. The SG has a binding with MN1, if necessary, and therefore stores information relating the static identifier (HoA) and dynamic identifier (CoA) of MN1. Thus all packets sent by or to MN1 can be identified. The SG has a binding with MN2, if necessary, and therefore stores information relating the static identifier (HoA) and dynamic identifier (CoA) of MN2. Thus all packets sent by or to MN2 can be identified. The SG detects that MN1 and MN2 are in a session by detecting when a packet is sent from MN1 to MN2 or a packet is sent from MN2 to MN1.

The SG sends a message 202 to the VCM indicating that MNl and MN2 
are having a session. This session Indication message could be combined with 
or be separate from the message informing the VCM of the external HoA of 
MNl. 
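The detection logic described in the preceding paragraphs, as an added example that is not code from this specification: the gateway learns each MN's HoA-to-CoA binding, decides whether an MN is internal or external from whether its SA with the SG is carrying traffic, caches the correspondents of each MN, and raises a single session indication the first time a packet passes between two MNs that are both external. The packet fields, SA identifiers, event tuples and the constructed trace in demo() are assumptions made for the example.

```python
"""Gateway-side detection of a session between two 'external' mobile nodes.

Added example, not code from the patent. Packet fields, SA identifiers and
event tuples are assumptions; the trace in demo() is constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str                      # source address in the header (HoA or CoA)
    dst: str                      # destination address
    sa_id: Optional[str] = None   # SG SA the packet travelled on; None = plaintext inside


@dataclass
class MobileNode:
    hoa: str                          # static identifier
    coa: Optional[str] = None         # dynamic identifier, set by Binding Update
    external: bool = False
    sa_ids: frozenset = frozenset()   # SAs between this MN and the SG


class SecurityGateway:
    def __init__(self):
        self.nodes = {}        # hoa -> MobileNode
        self.by_sa = {}        # sa_id -> hoa
        self.cn_cache = {}     # hoa -> addresses of correspondent nodes seen
        self.sessions = set()  # frozenset({hoa_a, hoa_b}) already reported
        self.events = []       # indications that would go to the VCM (message 202)

    def register(self, hoa, sa_ids):
        self.nodes[hoa] = MobileNode(hoa=hoa, sa_ids=frozenset(sa_ids))
        for sa in sa_ids:
            self.by_sa[sa] = hoa

    def binding_update(self, hoa, coa):
        """MN registers its current CoA: the SG now maps HoA -> CoA."""
        self.nodes[hoa].coa = coa

    def _owner(self, addr):
        """Resolve a HoA or CoA seen in a header to the MN's static identifier."""
        for n in self.nodes.values():
            if addr in (n.hoa, n.coa):
                return n.hoa
        return None

    def _set_location(self, hoa, external):
        n = self.nodes[hoa]
        if n.external != external:
            n.external = external
            self.events.append(("external" if external else "internal", hoa))

    def observe(self, pkt):
        """Process one packet seen by the SG; returns the events it triggered."""
        before = len(self.events)
        src, dst = self._owner(pkt.src), self._owner(pkt.dst)
        # Location: traffic on an MN's SG SA means the MN is outside; a plaintext
        # packet from an MN's own address on the inside means it is back.
        if pkt.sa_id is not None:
            self._set_location(self.by_sa[pkt.sa_id], True)
        elif src is not None:
            self._set_location(src, False)
        # Correspondent cache for every endpoint that is an MN.
        for mn, other in ((src, pkt.dst), (dst, pkt.src)):
            if mn is not None:
                self.cn_cache.setdefault(mn, set()).add(other)
        # Session indication: both endpoints are MNs and both are external.
        if src and dst and src != dst and self.nodes[src].external and self.nodes[dst].external:
            key = frozenset((src, dst))
            if key not in self.sessions:
                self.sessions.add(key)
                self.events.append(("session", src, dst))
        return self.events[before:]


def demo():
    """Constructed trace: MN2 leaves first, then MN1; they talk; MN1 returns."""
    sg = SecurityGateway()
    sg.register("mn1-hoa", ["sa-mn1-up", "sa-mn1-down"])
    sg.register("mn2-hoa", ["sa-mn2-up", "sa-mn2-down"])
    sg.binding_update("mn2-hoa", "coa-2")
    trace = [
        Packet("mn1-hoa", "server"),                      # MN1 inside, plaintext: nothing to report
        Packet("mn1-hoa", "mn2-hoa"),                     # both still inside: no indication
        Packet("mn2-hoa", "server", sa_id="sa-mn2-up"),   # MN2's SG SA carries traffic: external
        Packet("mn1-hoa", "mn2-hoa", sa_id="sa-mn1-up"),  # MN1 external too, talking to MN2
        Packet("coa-2", "mn1-hoa", sa_id="sa-mn2-up"),    # reverse direction, CoA in header: same session
        Packet("mn1-hoa", "server"),                      # MN1 back inside, sending unencrypted
    ]
    events = []
    for p in trace:
        events += sg.observe(p)
    return events
```

The reverse-direction packet carries MN2's CoA in the header and still resolves to the same session, which is why the SG must keep the HoA-to-CoA binding rather than matching on HoAs alone.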

The VCM receives the MN1-MN2 session indication message and may send an
Acknowledgement message 204 to the SG. In response to this message, the VCM
creates information for an SA pair for MN1-MN2 communications. It generates
random secrets and stores them in the MN context database in the VCM for the
MN1-MN2 session. In a preferred implementation the secrets are keys, the
number and length of which depend on the implementation, and they are
accompanied by other SA material such as the algorithm definition.

The VCM sends 206 a first secret(s) defining the SA pair between MN1
and MN2, together with the HoA of MN1, to MN2 via its (encapsulated) ESP SA
with MN2. Thus there is end-to-end security between the VCM and MN2. The VCM
separately sends 210 a second secret(s) defining the SA pair between MN1 and
MN2, together with the HoA of MN2, to MN1 via its (encapsulated) ESP SA with
MN1. Thus there is end-to-end security between the VCM and MN1. Because both
the MNs and the VCM are using public addresses, the SAs between them could
also be direct. The encapsulation of those inner SAs inside the outer SAs
between the MNs and the SG is not necessary, but when used, improves overall
security.

MN1 receives the secret(s) and the external HoA of MN2. It enters
into its Security Association Database (SAD) a new ESP SA to MN2 and a new ESP
SA from MN2. Each entry specifies the algorithm to be used and the secret(s) to
be used. MN1 modifies its Security Policy Database (SPD) so that traffic
destined for MN2 will be encrypted using one of the new SA pair, and traffic
from MN2 will be decrypted using the other one of the new SA pair. After first
modifying the inbound SPD policy (traffic from MN2), MN1 sends an
Acknowledgement message 212 to the VCM, which forwards it to MN2. The
outbound SPD policy (traffic destined for MN2) is only modified after the
reception of Acknowledgement message 208 from MN2 via the VCM. This ensures
that MN2 can decrypt the packets when they are sent by MN1.

MN2 receives the secret(s) and the HoA of MN1. It enters into its
Security Association Database (SAD) a new ESP SA to MN1 and a new ESP SA
from MN1. Each entry specifies the algorithm to be used and the secret(s)
to be used. MN2 modifies its Security Policy Database (SPD) so that traffic
destined for MN1 will be encrypted using one of the new SA pair, and traffic
from MN1 will be decrypted using the other one of the new SA pair. After first
modifying the inbound SPD policy (traffic from MN1), MN2 sends an
Acknowledgement message 208 to the VCM, which forwards it to MN1. The
outbound SPD policy (traffic destined for MN1) is only modified after the
reception of Acknowledgement message 212 from MN1 via the VCM. This ensures
that MN1 can decrypt the packets when they are sent by MN2.
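The key distribution and the inbound-first acknowledgement ordering of the preceding paragraphs, as an added example that is not code from this specification: the VCM generates one secret per direction, each MN installs both SAD entries but enables only its inbound SPD policy before acknowledging, and enables the outbound policy only once the peer's acknowledgement has been relayed, so nothing is sent on the new SA that the peer cannot yet decrypt. The 'toy ESP' (an HMAC-SHA256 keystream plus a truncated HMAC tag) stands in for real ESP so that the example runs on the standard library; the SPI values, message tuples and HoA strings are assumptions.

```python
"""VCM-driven SA setup between two external MNs with inbound-first acks.

Added example, not code from the patent. The 'toy ESP' below is NOT ESP; it
only gives the example something to encrypt with. SPIs, messages and HoA
strings are assumptions.
"""
import hashlib
import hmac
import os

ALG = "toy-hmac-sha256-stream"   # the 'algorithm definition' carried with the secrets


def _stream(key, seq, n):
    blocks = (n + 31) // 32
    return b"".join(hmac.new(key, seq.to_bytes(4, "big") + i.to_bytes(4, "big"),
                             hashlib.sha256).digest() for i in range(blocks))[:n]


def _tag(key, seq, ct):
    return hmac.new(key, seq.to_bytes(4, "big") + ct, hashlib.sha256).digest()[:16]


def toy_esp_seal(key, seq, payload):
    """Encrypt-then-MAC under a per-direction key. Toy construction, NOT ESP."""
    ct = bytes(p ^ s for p, s in zip(payload, _stream(key, seq, len(payload))))
    return ct + _tag(key, seq, ct)


def toy_esp_open(key, seq, blob):
    ct, tag = blob[:-16], blob[-16:]
    if not hmac.compare_digest(tag, _tag(key, seq, ct)):
        raise ValueError("integrity check failed")
    return bytes(c ^ s for c, s in zip(ct, _stream(key, seq, len(ct))))


class VCM:
    """Creates the SA pair material and keeps it in its MN context database."""
    def __init__(self):
        self.context = {}

    def create_sa_pair(self, hoa1, hoa2):
        def one():   # SPI >= 256 as in ESP, fresh 256-bit secret
            return {"spi": int.from_bytes(os.urandom(4), "big") | 0x100, "key": os.urandom(32)}
        material = {"alg": ALG, (hoa1, hoa2): one(), (hoa2, hoa1): one()}
        self.context[frozenset((hoa1, hoa2))] = material
        return material   # delivered to each MN over its existing SA with the VCM


class MN:
    def __init__(self, hoa):
        self.hoa = hoa
        self.sad = {}      # spi -> {"peer", "dir", "key", "alg"}
        self.spd_in = {}   # peer HoA -> spi accepted from that peer
        self.spd_out = {}  # peer HoA -> spi used towards that peer
        self.seq = 0

    def install(self, peer_hoa, material):
        """SAD entries for both directions, inbound policy only; returns the Ack."""
        out, inn = material[(self.hoa, peer_hoa)], material[(peer_hoa, self.hoa)]
        self.sad[out["spi"]] = {"peer": peer_hoa, "dir": "out", "key": out["key"], "alg": material["alg"]}
        self.sad[inn["spi"]] = {"peer": peer_hoa, "dir": "in", "key": inn["key"], "alg": material["alg"]}
        self.spd_in[peer_hoa] = inn["spi"]
        return ("ack", self.hoa, peer_hoa)

    def peer_acked(self, ack):
        """Outbound policy goes live only after the peer confirmed its inbound SA."""
        _, peer_hoa, me = ack
        assert me == self.hoa
        self.spd_out[peer_hoa] = next(s for s, e in self.sad.items()
                                      if e["peer"] == peer_hoa and e["dir"] == "out")

    def send(self, peer_hoa, payload):
        spi = self.spd_out.get(peer_hoa)
        if spi is None:
            return ("via-sg", payload)   # no direct policy yet: still goes over the SA with the SG
        self.seq += 1
        return ("direct", spi, self.seq, toy_esp_seal(self.sad[spi]["key"], self.seq, payload))

    def receive(self, packet):
        _, spi, seq, blob = packet
        entry = self.sad.get(spi)
        if entry is None or entry["dir"] != "in" or self.spd_in.get(entry["peer"]) != spi:
            raise ValueError("no inbound SA/policy for SPI %#x" % spi)
        return toy_esp_open(entry["key"], seq, blob)


def run_exchange():
    """Messages 206/210 (material) and 208/212 (acks) from the description above."""
    vcm, mn1, mn2 = VCM(), MN("mn1-hoa"), MN("mn2-hoa")
    material = vcm.create_sa_pair("mn1-hoa", "mn2-hoa")
    ack212 = mn1.install("mn2-hoa", material)    # 210 delivered to MN1
    early = mn1.send("mn2-hoa", b"hello")[0]     # MN2 not ready: falls back to the SG SA
    ack208 = mn2.install("mn1-hoa", material)    # 206 delivered to MN2
    mn1.peer_acked(ack208)                       # 208 relayed by the VCM
    mn2.peer_acked(ack212)                       # 212 relayed by the VCM
    pkt = mn1.send("mn2-hoa", b"over the new SA")
    reply = mn2.send("mn1-hoa", b"and back")
    return early, pkt[0], mn2.receive(pkt), mn1.receive(reply)
```

The point the ordering protects is visible in run_exchange(): a packet sent between MN1's own installation and MN2's acknowledgement still goes over the SA with the SG, because the outbound SPD entry does not yet exist.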

The HoA received in the message from the VCM is in this embodiment
not necessarily used in route optimization between two nodes that already have
a session in the external portion of the VPN (because MIPv6 may be used to
provide the HoA directly). Instead, it is used for modification of the appropriate
SAD entries using the new secret(s), or for securely setting up an SA between
the HoAs by utilizing the existing SAs with the SG and VCM, or for avoiding the
unnecessary default use of direct SAs when the MNs are in the internal portion
of the VPN.

The new ESP SAs provide for end-to-end encryption between the HoA of
MN1 and the HoA of MN2.

MN1 uses the HoA to route packets to MN2. When MN1 first
sends a packet 214 encrypted by the new ESP SA to the HoA of MN2, it first goes
to the HA of MN2, which forwards it 216 to the CoA of MN2. After this the
return routability and binding process between MN1 and MN2 provides 218
the CoA of MN2 to MN1. MN1 then uses the CoA of MN2 to address packets 220
destined for MN2.

MN2 uses the HoA to route packets to MN1. When MN2 first
sends packets encrypted by the new ESP SA to the HoA of MN1, they first go to
the HA of MN1, which forwards them to the CoA of MN1. After this the return
routability and binding process between MN2 and MN1 provides the CoA of
MN1 to MN2. MN2 then uses the CoA of MN1 to address packets destined for MN1.

The return routability and binding process optimises the route between
the MN1 and MN2 CoAs and continues to do so as long as the MNs have a
session, whether they are in the interior or exterior portion of the VPN, without
SG or VCM intervention. When either MN1 or MN2 moves to a different point of
attachment in the external portion of the VPN, a handover procedure to the
new point of attachment occurs. The procedure is specified by MIPv6. If MN1
moves, the CoA of MN1 changes and this change is automatically
communicated to MN2. Thus the route between MN1 and MN2 remains
optimised.
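The return routability and binding process referred to above, as an added example that is not code from this specification. It follows the keying formulas of MIPv6 (RFC 3775, section 5.2): the correspondent (here MN2, acting as CN for MN1) derives home and care-of keygen tokens from its node key Kcn and a nonce, MN1 combines the two tokens into Kbm and authenticates a Binding Update, and once the binding is cached MN2 addresses MN1's CoA directly instead of the HoA via the HA. The addresses, the single-entry nonce table, the 'mh_data' placeholder for the Binding Update header fields, route_to() and the tampered-update check are constructed for the example.

```python
"""Return routability and binding (MIPv6, RFC 3775 section 5.2).

Added example, not code from the patent. Addresses, nonce handling, mh_data
and route_to() are constructed; the token, Kbm and authenticator formulas
follow RFC 3775.
"""
import hashlib
import hmac
import ipaddress
import os


def _packed(addr):
    return ipaddress.IPv6Address(addr).packed


def keygen_token(kcn, addr, nonce, which):
    # token = First(64, HMAC_SHA1(Kcn, address | nonce | which)); which = 0 home, 1 care-of
    return hmac.new(kcn, _packed(addr) + nonce + bytes([which]), hashlib.sha1).digest()[:8]


def kbm(home_token, coa_token):
    # Kbm = SHA1(home keygen token | care-of keygen token)
    return hashlib.sha1(home_token + coa_token).digest()


def bu_authenticator(k, coa, cn, mh_data):
    # First(96, HMAC_SHA1(Kbm, care-of address | correspondent | MH Data))
    return hmac.new(k, _packed(coa) + _packed(cn) + mh_data, hashlib.sha1).digest()[:12]


class Correspondent:
    def __init__(self, addr):
        self.addr = addr
        self.kcn = os.urandom(20)         # node key, never leaves this node
        self.nonces = [os.urandom(8)]     # indexed nonce table (one entry here)
        self.binding_cache = {}           # HoA -> CoA

    def hot(self, hoti):   # HoTI reached us through the mobile's HA; HoT goes back the same way
        return {"cookie": hoti["cookie"], "index": 0,
                "token": keygen_token(self.kcn, hoti["hoa"], self.nonces[0], 0)}

    def cot(self, coti):   # CoTI/CoT are exchanged directly with the CoA
        return {"cookie": coti["cookie"], "index": 0,
                "token": keygen_token(self.kcn, coti["coa"], self.nonces[0], 1)}

    def binding_update(self, bu):
        """Recompute Kbm from the nonce indices; accept the binding only if the MAC verifies."""
        k = kbm(keygen_token(self.kcn, bu["hoa"], self.nonces[bu["home_index"]], 0),
                keygen_token(self.kcn, bu["coa"], self.nonces[bu["coa_index"]], 1))
        if not hmac.compare_digest(bu["auth"], bu_authenticator(k, bu["coa"], self.addr, bu["mh_data"])):
            return False
        self.binding_cache[bu["hoa"]] = bu["coa"]
        return True

    def route_to(self, hoa):
        """Address put on a packet for this mobile: its CoA once bound, else its HoA (via the HA)."""
        return self.binding_cache.get(hoa, hoa)


class Mobile:
    def __init__(self, hoa, coa):
        self.hoa, self.coa = hoa, coa

    def return_routability(self, cn):
        home_cookie, coa_cookie = os.urandom(8), os.urandom(8)
        hot = cn.hot({"cookie": home_cookie, "hoa": self.hoa})
        cot = cn.cot({"cookie": coa_cookie, "coa": self.coa})
        assert hot["cookie"] == home_cookie and cot["cookie"] == coa_cookie
        k = kbm(hot["token"], cot["token"])
        mh_data = b"BU seq=1 lifetime=420"   # stands in for the Binding Update header fields
        return {"hoa": self.hoa, "coa": self.coa, "home_index": hot["index"],
                "coa_index": cot["index"], "mh_data": mh_data,
                "auth": bu_authenticator(k, self.coa, cn.addr, mh_data)}


def demo():
    """MN1 registers with MN2, hands over to a new CoA, then a forged CoA is rejected."""
    mn2 = Correspondent("2001:db8:2::1")                  # HoA of MN2, acting as CN
    mn1 = Mobile("2001:db8:1::1", "2001:db8:cafe::1")     # HoA and current CoA of MN1
    before = mn2.route_to(mn1.hoa)                        # first packet: to the HoA, forwarded by the HA
    first = mn2.binding_update(mn1.return_routability(mn2))
    direct = mn2.route_to(mn1.hoa)                        # later packets: straight to the CoA
    mn1.coa = "2001:db8:beef::1"                          # handover: new point of attachment
    second = mn2.binding_update(mn1.return_routability(mn2))
    forged = mn1.return_routability(mn2)
    forged["coa"] = "2001:db8:bad::1"                     # CoA never proven reachable: MAC fails
    rejected = not mn2.binding_update(forged)
    return before, first, direct, second, mn2.route_to(mn1.hoa), rejected
```

Because the care-of keygen token is only ever delivered to the claimed CoA, an update that names an address the mobile cannot receive at does not verify, which is the property that lets the handover in the text proceed without SG or VCM involvement.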
When either MN returns to the private network, the SA between that MN
and the SG, which was used for communication between that MN and the
interior of the VPN, no longer receives packets. This is because the MN is now in
the internal portion of the VPN and starts to send packets unencrypted within
the private network. This movement from the external portion of the VPN to the
internal portion of the VPN is detected by the SG in the same way as the
movement from the internal portion of the VPN to the external portion of the
VPN (but in reverse); the SG then informs the VCM. The VCM commands the
remaining external MN to amend its SAD and/or SPD so that it again uses its
ESP SA with the SG for communication with the internal MN.

The external HA need not be trusted, because the existing SAs with the SG
and VCM guarantee that the exchanged SA secrets defining the SA between MN1
and MN2 cannot be spoofed.

General 

The following may relate to any and all embodiments. 

The first and second secret(s) may be symmetric keys for encryption and
decryption. The same key may be used for encryption and decryption in both
MNs, or separate keys may be used for encryption/decryption in one MN and
for the corresponding decryption/encryption in the other MN. Alternatively,
the secret(s) may be asymmetric keys such as public and private keys.

The preceding description has described the VCM as a separate entity from
the SG. This provides some advantages, in that an existing VPN can be modified
by the addition of a physical VCM. This provides backwards compatibility.
When the VCM is a separate entity from the SG it is necessary for it to have
pre-existing SAs with the MNs.

In another implementation, the functions of the VCM are incorporated
into the SG and there is no physical VCM. This has the advantage of reducing
the number of VPN entities but necessitates modification of the SG. This
implementation is not necessarily backwards compatible with an existing SG,
although it may be effected as a software update to an existing SG. When the
VCM is part of the SG there will not be separate SAs from the VCM to the MNs.
The VCM will use the SAs of the SG to the MNs.

The implementation of embodiments of the invention therefore requires a
modification to the internal VPN by the introduction of the functionality of the
VCM, and a modification to the mobile nodes and to the SGs.

In the above described embodiments, the session already existed between
MN1 and MN2 before both MN1 and MN2 were in the external portion of the
VPN. Thus the trigger was the detection of an existing session between two
'external' MNs. This triggered the process of creating a new SA, using an
existing SA, between the two 'external' MNs.

An alternative or additional trigger is the detection of both:

a) that a VPN node initiating a data transfer session is an 'external' node, and

b) that the destination node of the data transfer is an 'external' node.

This triggers the process of creating a new SA, using an existing SA, between the
two 'external' nodes.

The skilled reader will understand that in this document the term
'Security Association' may at times refer to a unidirectional Security
Association, a pair of uni-directional (inbound and outbound) Security
Associations, and the information stored to effect these Security Associations.

Although two-way communications have been described between MNl 
and MN2, in alternative embodiments of the invention there is only one-way, 
not two-way, traffic e.g. from MNl to MN2 or from MN2 to MNl. Thus, 
MN1/MN2 may be a source and destination of data, a source only or a 
destination only. 

Whilst endeavouring in the foregoing specification to draw attention to
those features of the invention believed to be of particular importance, it should
be understood that the Applicant claims protection in respect of any patentable
feature or combination of features hereinbefore described, referred to and/or
shown in the drawings, whether or not particular emphasis has been placed
thereon.
1. A gateway for connecting an external portion of a network to an internal
secured portion of the network wherein the gateway is arranged to identify
automatically when a communication session exists between two mobile
workstations both of which are connected in the external portion of the
network.

2. A gateway as claimed in claim 1, having means for monitoring the source
and destination of received packets.

3. A gateway as claimed in claim 1 having secure communication means by
which information is transferable securely to the two mobile workstations
separately.

4. A gateway as claimed in claim 3 wherein the secure communication
means includes a first Security Association with a first mobile workstation and
a second Security Association with a second mobile workstation.

5. A gateway as claimed in claim 3 or 4, wherein the gateway is arranged to
send, using the secure communication means, an identifier of a second mobile
workstation to a first mobile workstation for use as an address in a packet
originating from the first mobile workstation and destined for the second
mobile workstation.

6. A gateway as claimed in claim 5 wherein the identifier of the second
mobile workstation is a Home Address.

7. A gateway as claimed in any one of claims 3 to 6, wherein the gateway is
arranged to send, using the secure communication means, an identifier of the
first mobile workstation to the second mobile workstation for use as an address
in a packet originating from the second mobile workstation and destined for the
first mobile workstation.

8. A gateway as claimed in claim 7 wherein the identifier of the first mobile
workstation is a Home Address.

9. A gateway as claimed in any one of claims 3 to 8, wherein the gateway is
arranged to send first security information to the first mobile workstation and
second security information to the second mobile workstation using the secure
communication means, wherein the first mobile workstation uses the first
security information and the second mobile workstation uses the second
security information to enable a second secure communication means by which
further information is transferable securely between the first mobile
workstation and the second mobile workstation without passing through the
gateway.

10. A gateway as claimed in claim 9, wherein the second secure
communication means comprises Security Associations.

11. A gateway as claimed in any one of claims 1 to 10 wherein the gateway is
further arranged to identify automatically when a mobile workstation moves
between the internal and the external portions of the network.

12. A network including an internal secured portion which connects, via a
gateway, to an external portion, the network comprising a plurality of
workstations including mobile workstations; the gateway and secure
communication means by which information is transferable securely to a first
mobile workstation in the external portion of the network via the gateway and
by which information is transferable securely to a second mobile workstation in
the external portion of the network via the gateway; and information transfer
means located within the internal secured portion of the network or within the
gateway and arranged to send, using the secure communication means, an
identifier of the second mobile workstation to the first mobile workstation for
use as an address in a packet originating from the first mobile workstation and
destined for the second mobile workstation.
means is further arranged to send, using the secure communication means, an
identifier of the first mobile workstation to the second mobile workstation for
use as an address in a packet originating from the second mobile workstation
and destined for the first mobile workstation.

14. A network as claimed in claim 12 or 13 wherein the identifier of a mobile
workstation is a Home Address of the mobile workstation.

15. A network as claimed in any one of claims 12 to 14 wherein the secure
communication means provides an encrypted communications channel to the
first mobile workstation and an encrypted communications channel to the
second mobile workstation.

16. A network as claimed in any one of claims 12 to 15 wherein the secure
communication means comprises a first Security Association and a second
Security Association.

17. A network as claimed in any one of claims 12 to 16 wherein the gateway
is arranged to detect a communications session between two mobile
workstations which are connected at the external portion of the network.

18. A network as claimed in any one of claims 12 to 17 further comprising:

means for dynamically updating an identifier of the first mobile
workstation as it moves within the external portion of the network;

means for communicating the updated identifier of the first mobile
workstation to the second mobile workstation; and

means for sending packets from the second mobile workstation to the
first mobile workstation using the second secure communication means,
wherein the packets are addressed using the updated identifier of the first
mobile workstation.

19. A network as claimed in claim 18 wherein the updated identifier is a
Care-of-Address.

20. A network as claimed in any one of claims 12 to 19 wherein the network
is arranged to use private addresses to communicate within the internal portion
of the network and the identifier of the second workstation is a public address.

21. A method of securely routing communications between a first mobile
node and a second mobile node of a network including an internal secured
portion which connects, via a gateway, to an external portion, comprising the
steps of:

maintaining a secure communication means by which information is
transferable securely to a first mobile node in the external portion of the
network via the gateway and by which information is transferable securely to a
second mobile node in the external portion of the network via the gateway;

sending an identifier of the second mobile node to the first mobile node
using the secure communication means; and

addressing a packet sent from the first mobile node to the second mobile
node using the identifier of the second mobile node and routing the packet,
using the identifier of the second mobile node, from the first mobile node to
the second mobile node, not necessarily via the gateway.

22. A method as claimed in claim 21 further comprising the steps of:

sending an identifier of the first mobile node to the second mobile node
using the secure communication means; and

addressing a packet sent from the second mobile node to the first mobile
node using the identifier of the first mobile node and routing the packet from
the second mobile node to the first mobile node, not necessarily via the
gateway.

23. A mobile workstation for connecting to an external portion of a network
that includes an internal secured portion connected, via a gateway, to the
external portion, comprising:

means for using a secure communication means by which information is
transferable securely from the internal portion of the network to the mobile
workstation via the gateway;

means arranged to receive, via the first secure communication means, an
identifier of another mobile workstation also connected to the external portion
of the network; and

means for including the identifier of the other mobile workstation as an
address in a packet for transmission to the other mobile workstation.

24. A virtual private network including an internal secured portion which
connects, via a gateway, to an external portion, the network being arranged to
communicate within the internal portion of the network using private addresses
and comprising:

a plurality of workstations including mobile workstations;

the gateway;

first secure communication means by which information is transferable
securely to a first mobile workstation connected at the external portion of the
network via the gateway and by which information is transferable securely to a
second mobile workstation connected at the external portion of the network via
the gateway; and

information transfer means arranged to send first security information
to the first mobile workstation and second security information to the second
mobile workstation using the first secure communication means, wherein the
first mobile workstation uses the first security information and the second
mobile workstation uses the second security information to enable a second
secure communication means by which further information is transferable
securely between the first mobile workstation and the second mobile
workstation without passing through the gateway.

25. A virtual private network as claimed in claim 24, wherein the further
information is transferable in packets using public addresses.

26. A network as claimed in claim 24 or 25, wherein the first secure
communication means provides an encrypted communications channel to the
first mobile workstation and an encrypted communications channel to the
second mobile workstation.

27. A network as claimed in claim 24, 25 or 26 wherein the first secure
communication means comprises a first Security Association and a second
Security Association.

28. A network as claimed in claim 27, wherein the first Security
Association is from the gateway to the first mobile workstation and the second
Security Association is from the gateway to the second mobile workstation.

29. A network as claimed in claim 28 wherein the first Security Association
is from the internal portion of the network to the first mobile workstation and
the second Security Association is from the internal portion of the network to
the second mobile workstation.

30. A network as claimed in claim 27, 28 or 29, wherein communications
using the first and second Security Associations use addresses which are
private.

31. A network as claimed in any one of claims 24 to 30, wherein the second
secure communication means provides encrypted communications channels
between the first and second mobile workstations.

32. A network as claimed in claim 31 wherein the first and second security
information define the encryption/decryption of the encrypted communications
channels.

33. A network as claimed in any one of claims 24 to 32 wherein the second
secure communication means comprises at least a third Security Association
from the first mobile workstation to the second mobile workstation.

34. A network as claimed in claim 33 wherein the first and second security
information define at least the third Security Association.

35. A network as claimed in any one of claims 24 to 34, wherein at least a
portion of the first security information and at least a portion of the second
security information are created within the internal portion of the network.
36. A network as claimed in any one of claims 24 to 35, wherein the gateway
is arranged to detect a communications session between two mobile
workstations which are connected at the external portion of the network.

37. A network as claimed in any one of claims 24 to 36, wherein the second
secure communication means is enabled by the adaptation of databases in the
first and second mobile workstations.

38. A network as claimed in any one of claims 24 to 37, further comprising:
information transfer means arranged to send, using the first secure
communication means, an identifier of the second mobile workstation to the
first mobile workstation for use as an address in a packet originating from the
first mobile workstation and destined for the second mobile workstation.

39. A network as claimed in claim 38 wherein the identifier of the second
mobile workstation is a Home Address.

40. A network as claimed in claim 38 or 39, wherein the identifier of the
second mobile workstation is a public address.

41. A network as claimed in any one of claims 24 to 40 further comprising:

means for dynamically updating an identifier of the first mobile
workstation as it moves within the external portion of the network;

means for communicating the updated identifier of the first mobile
workstation to the second mobile workstation; and

means for sending packets from the second mobile workstation to the
first mobile workstation using the second secure communication means,
wherein the packets are addressed using the updated identifier of the first
mobile workstation.

42. A network as claimed in claim 41 wherein the updated identifier is a
Care-of-Address.
43. A method of securing communications between a first mobile node and a
second mobile node of a virtual private network including an internal secured
portion which connects, via a gateway, to an external portion, comprising the
steps of:

communicating within the internal portion of the network using private
addresses;

maintaining a first secure communication means by which information
is transferable securely to the first mobile node in the external portion of the
network via the gateway and by which information is transferable securely to a
second mobile node in the external portion of the network via the gateway;

sending first security information to the first mobile node using the first
secure communication means;

sending second security information to the second mobile node using the
first secure communication means;

creating a second secure communication means in the first mobile node,
using the first security information in the first mobile node and the second
security information in the second mobile node; and

using the second secure communication means, and not the first secure
communication means, for transferring further information between the first
and second mobile nodes while they both remain in the external portion of the
network.

PCT/IB02/04295

44. A mobile workstation for connecting to a virtual private network that
includes an internal secured portion connected, via a gateway, to the external
portion, and for communicating while in the internal portion using packet
addresses which are private to the network, the mobile workstation comprising:

means for using a first secure communication means by which packets
addressed to the private address of the mobile workstation are transferable
securely from the internal portion of the network to the mobile workstation via
the gateway;

means arranged to receive, via the first secure communication means,
first security information for enabling a second secure communication means;
and

means for using the enabled second secure communication means to
securely receive further packets, addressed to a public address of the mobile
workstation, from another mobile workstation also in the external portion of
the network.

45. A mobile workstation as claimed in claim 44 further comprising a
database and means for modifying the database in response to the received first
security information.

46. A mobile workstation as claimed in claim 45 wherein the database
includes a Security Association Database (SAD) which is modified to include a
new Security Association.

47. A mobile workstation as claimed in claim 46 wherein the database
includes a Security Policy Database which is modified so that packets for the
other mobile workstation use the new Security Association.

48. A virtual private network including an internal secured portion which
connects, via a gateway, to an external portion, the network being arranged to
communicate within the internal portion of the network using private addresses
and comprising:

a plurality of workstations including mobile workstations;

the gateway;

secure communication means by which information is transferable
securely, without passing through the gateway, between a first mobile
workstation connected to the external portion of the network and a second
mobile workstation connected to the external portion of the network;

means for dynamically updating an identifier of the first mobile
workstation as it moves within the external portion of the network;

means for communicating the updated identifier of the first mobile
workstation to the second mobile workstation; and

means for sending packets from the second mobile workstation to the
first mobile workstation using the secure communication means, wherein the
packets are addressed using the updated identifier of the first mobile
workstation and are routed without necessarily passing through the gateway.

49. A network as claimed in claim 48 wherein the updated identifier is a
Care-of-Address.

50. A network as claimed in claim 48 or 49 wherein the secure
communication means provides encrypted communications channels between
the first and second mobile workstations.

51. A network as claimed in any one of claims 48 to 50 wherein the secure
communication means comprises a Security Association from the first mobile
workstation to the second mobile workstation and a Security Association from
the second mobile workstation to the first mobile workstation.

52. A network as claimed in any one of claims 48 to 51 wherein the secure
communication means is enabled by databases in the first and second mobile
workstations.

53. A method of optimising the routing of secure communications between a
first mobile node and a second mobile node of a network including an internal
secured portion which connects, via a gateway, to an external portion,
comprising the steps of:

communicating within the internal portion of the network using private
addresses;

creating a secure communication means by which information is
transferable securely, without passing through the gateway, between a first
mobile node of the external portion of the network and a second mobile node of
the external portion of the network;

moving the first mobile node within the external portion of the network;

modifying an identifier of the first mobile node in response to its
movement;

communicating the modified identifier of the first mobile node to the
second mobile node; and

sending a packet from the second mobile node for reception by the first
mobile node, without necessarily passing via the gateway, after addressing it
using the updated identifier of the first mobile node and securing it using the
secure communication means.



54. A mobile workstation for connecting to an external portion of a network
that includes an internal secured portion connected, via a gateway, to the
external portion, comprising:

means for communicating using private addresses when in the internal
portion of the network;

means for enabling and using a secure communication means by which
information is transferable securely from the mobile workstation, when in the
external portion of the network, to another mobile workstation connected to the
external portion of the network without passing through the gateway;

means for receiving an identifier of the other mobile workstation; and

means for sending packets, when in the external portion of the network,
to the other mobile workstation using the secure communication means and
the received identifier.

55. A mobile workstation as claimed in claim 54 wherein the identifier is a
public address.

56. A mobile workstation as claimed in claim 55 wherein the identifier is a
Home Address or a Care-of-Address.
ABSTRACT

A security gateway connects an external portion of a virtual private
network to an internal secured portion of the network. The gateway is arranged
to identify automatically when a communication session exists between two
mobile workstations both of which are connected in the external portion of the
network.

The mobile workstations are then enabled to communicate with each
other without using the gateway as an intermediary. This communication can
be secured. The route by which packets are transferred between the
workstations may then be optimised.